Forget about me, this is indeed not a bug, but instead a wrong setting on my part... stupid me!

I leave the description here in case someone has the same issue and stumbles on this page when searching for support...

|Title|Anonymous View Denied
|Date|26-Apr-2006 18:05:34 EEST
|Version|2.4.0
|Submitter|195.25.133.175
|[Bug criticality]|MediumBug
|Browser version|ie, firefox
|[Bug status]|NotABug
|[PageProvider] used|VersioningFileProvider
|Servlet Container|Tomcat 5.5.9
|Operating System|Windows XP Pro
|URL|?
|Java version|1.5.0_6

I try to set up a Wiki where only authenticated users are allowed to edit pages.
I grant only "view" access to users with ''Anonymous'' built-in role.
It all works as expected until an authenticated user logs out (and his status falls back to ''asserted''). Then the user cannot view any page; he has to log in again.

Here are the relevant sections of my {{jspwiki.policy}}:

{{{
// Guest users
// Note the commented lines, but note too that the "view all pages" permission is explicit.
grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    //permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Guest*", "edit";
    //permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

// Asserted role: the error is here: I simply commented out the "edit" permission,
// and forgot to add a "view" one!
grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    //permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Guest*", "edit";
    //permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};


// Authenticated users:
grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Group*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};
}}}

I should have understood it from the logs, where we clearly see that the user name is still recognized (so the user is not ''anonymous'').

{{{
2006-04-26 17:04:20,891 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Wiki.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.PagePermission","BenchesWiki:Main","view")]
2006-04-26 17:04:20,891 [http-8080-Processor25] INFO com.ecyrd.jspwiki.WikiContext BenchesWiki:http://e000433:8080/BenchesWiki/Wiki.jsp - User Jérôme Duprez has no access - redirecting (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission","BenchesWiki:Main","view"))
2006-04-26 17:04:20,907 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]
2006-04-26 17:04:20,923 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]
2006-04-26 17:04:20,923 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]
}}}


----

Hi --

Thanks for posting this. Looks like you found out what the issue is, namely that you didn't include ''view'' permission in the 'asserted' block in the policy file. So yes, it will want to redirect you to the login page after logout, because the user status falls back to 'asserted'.

Another person posted a bug request asking us to change the default behavior of the logout process so that it removes the assertion cookie also. That would cause the user's status to fall back to 'Anonymous'. It's a good idea, and your example gives me another reason why.

Also -- I think what I will do in the next revision of the default {{jspwiki.policy}} file is add a standard block for 'All' users. That will make the grant blocks for the other roles more compact.

--Andrew Jaquith, 28-Apr-2006
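
A lint for the misconfiguration reported above, as an added example that is not part of the original posts or of JSPWiki: it reads the {{PagePermission}} lines of a {{jspwiki.policy}} and lists the built-in roles that end up with no effective ''view'' on {{*:*}}. The implication table is an assumption taken from JSPWiki's documented {{PagePermission}} rules, the sample policy is constructed from the blocks on this page, and only the exact target string is compared (no wildcard matching).

```python
import re

# Assumption: implied actions as documented for JSPWiki's PagePermission.
IMPLIES = {"delete": {"edit"}, "rename": {"edit"}, "modify": {"edit", "upload"},
           "edit": {"comment", "view"}, "comment": {"view"}, "upload": {"view"}}
GRANT_RE = re.compile(r'grant[^{]*?Role\s+"(\w+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+[\w.]*\.PagePermission\s+"([^"]+)"\s*,\s*"([^"]+)"')

# Constructed sample: the PagePermission lines of the policy posted on this page.
P = "com.ecyrd.jspwiki.auth."
SAMPLE = f'''
grant signedBy "jspwiki" principal {P}authorize.Role "Anonymous" {{
    permission {P}permissions.PagePermission "*:*", "view";
}};
grant signedBy "jspwiki" principal {P}authorize.Role "Asserted" {{
    //permission {P}permissions.PagePermission "*:*", "edit";
    permission {P}permissions.PagePermission "*:Guest*", "edit";
}};
grant signedBy "jspwiki" principal {P}authorize.Role "Authenticated" {{
    permission {P}permissions.PagePermission "*:*", "modify,rename";
}};
'''

def expand(actions):
    """Close a set of actions under IMPLIES."""
    seen, todo = set(), list(actions)
    while todo:
        a = todo.pop()
        if a not in seen:
            seen.add(a)
            todo.extend(IMPLIES.get(a, ()))
    return seen

def page_grants(policy_text):
    """Map role -> {target: effective actions}; // comment lines are ignored."""
    live = "\n".join(l for l in policy_text.splitlines()
                     if not l.lstrip().startswith("//"))
    grants = {}
    for role, body in GRANT_RE.findall(live):
        for target, actions in PERM_RE.findall(body):
            acts = expand(a.strip().lower() for a in actions.split(","))
            grants.setdefault(role, {}).setdefault(target, set()).update(acts)
    return grants

def roles_without(policy_text, action="view", target="*:*"):
    """Built-in roles with no effective `action` on exactly `target`."""
    grants = page_grants(policy_text)
    return [r for r in ("Anonymous", "Asserted", "Authenticated")
            if action not in grants.get(r, {}).get(target, set())]
```

Running {{roles_without}} on the sample reports only the ''Asserted'' role, which matches the {{ACCESS_DENIED}} entries for a named principal in the log above.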